This is my third and final blog in the series about Re-Thinking the Human Factor, the security awareness training I attended as part of my Marmalade Box induction. You can read Part 1 and Part 2 by following the links.
Just to recap: so far we’ve looked at the basics, what it means to be human, awareness and behaviour; this post is about culture. We’ll also consider the role metrics play and draw a few helpful conclusions.
If you’d like to experience the real thing rather than just read my account, the next workshop is on November 9th in Amsterdam and you can book your place right here.
What is culture?
This part of the day made me think about culture in a way I’ve never thought about it before. A quote Bruce shared with us reminded me of a line attributed to Socrates that the unexamined life is not worth living. Ditto culture.
We set about unpicking what culture really is, what it means and how it fits with behaviour, before applying it to organisations and security. All organisations have a culture and yours will have huge implications for your security culture.
Perhaps unsurprisingly, if you want your employees to take security seriously, you need to look at it from a cultural perspective. We are all strongly influenced by culture from the moment we are born, and our individual and collective values, assumptions and rules all have a major part to play.
Security culture is influenced by an organisation’s culture
If you, in your role as EAM, CISO or consultant, want to ensure people understand how important security is, how can you influence your organisation’s culture to create the security culture you want?
The long answer is you’ll have to go on the workshop! The short answer is there are a large number of factors at work.
Creating the right culture depends on your leadership, your recruitment and the metrics you use (we’ll come onto that in a sec). There’s no one-size-fits-all answer; it depends on factors specific to your organisation. The answer also brought together other topics we learnt about during the workshop: training, approach, leadership, rewards, creating buy-in and getting people to champion your cause.
I’ve been in marketing for many years and been a copywriter for most of them, and what struck me is how much of this is marketing. Creating campaigns, influence and buy-in for information security is about ‘selling’ the idea and principles to your team or employees.
There’s a well-known saying in the world of business that you can only improve what you can measure and that holds true for security awareness training just as it does for growing a business or marketing. Which leads us on nicely to a look at metrics and measuring your success.
As in marketing, you need to know what numbers you’re measuring, or you can’t tell what progress you’ve made. But I’ll leave the detail to Bruce.
Security awareness training: Bringing it all together
I learnt a huge amount at the workshop, and not all of it was what I thought I’d learn. Even with very little prior knowledge, the SABCTM framework makes a lot of sense to me and appeals to me for lots of reasons. It brings together an understanding of the human brain, behaviour and culture, and relies on techniques I know from marketing, about selling ideas and getting people on board with your campaign.
What I took away from the day will certainly help me in my role as Content Creator for Marmalade Box, but the really exciting results will be seen when attendees start applying this new approach to their organisations to create real change.
If you’d like to be one of them, you can book your seat at the next Re-Thinking the Human Factor security awareness training on November 9th in Amsterdam here.